NAT 0 using Network Object NAT in OS 8.6

Hi,
I am trying to create an IPsec remote access VPN and am working for the first time with Network Object NAT on a 5512 X architecture with 8.6 OS. I would like to know how to create a NONAT scenario with users on the other side using a NAT 0 nat entry so that traffic going to subnets on the other end of the VPN does not get NATted?
Thanks,
Vick.

Hi,
It would be the following then
object-group network LAN-NETWORKS
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
network-object 192.168.31.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
object-group network REMOTE-NETWORKS
network-object 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static REMOTE-NETWORKS REMOTE-NETWORKS
- Jouni

Similar Messages

  • Multiple NAT to network

    I am trying to do the following on an ASA 5505 with Security Plus licensing.
    public IP ASA  private IP ASA
    199.185.3.25 <-------192.168.1.254
                      ^
                      |--------192.168.2.254
                      ^
                      |-------- 192.168.3.254
    I want the 192.168.1.0/24 and 192.168.2.0/24 to NAT to the internet. 
    I can get the first subnet to work.  I can get hosts on each of the two subnets to ping each other.  However, if I try to ping an external site, 4.2.2.2, the first subnet works, the second one does not. 
    I am enclosing the running-configuration from IOS 8.4.  Any insights as to what I'm missing to get the second network to be able to send and receive packets to an internet connection?
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.01.05 21:03:36 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    : Saved
    ASA Version 8.4(6)
    hostname INFOASA01
    names
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 4
    interface Ethernet0/2
    switchport access vlan 5
    interface Ethernet0/3
    switchport access vlan 2
    interface Ethernet0/4
    switchport access vlan 2
    interface Ethernet0/5
    switchport access vlan 2
    interface Ethernet0/6
    switchport access vlan 2
    interface Ethernet0/7
    switchport access vlan 2
    interface Vlan1
    nameif outside
    security-level 25
    pppoe client vpdn group PPP
    ip address pppoe setroute
    interface Vlan2
    nameif inside
    security-level 75
    ip address 192.168.1.254 255.255.255.0
    interface Vlan3
    description Wireless
    shutdown
    no nameif
    no security-level
    no ip address
    interface Vlan4
    description home-network
    nameif inside-46
    security-level 50
    ip address 192.168.3.224 255.255.255.0
    interface Vlan5
    nameif inside5
    security-level 75
    ip address 192.168.2.254 255.255.255.0
    interface Vlan98
    description VPN client
    no nameif
    security-level 90
    ip address 192.168.98.254 255.255.255.0
    interface Vlan99
    no nameif
    no security-level
    no ip address
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj_25
    host 192.168.1.249
    object network obj_143
    host 192.168.1.249
    object network obj_1677
    host 192.168.1.249
    object network obj_444
    host 192.168.1.249
    object network obj_443
    host 192.168.1.246
    object network obj_22
    host 192.168.1.249
    object network obj_21
    host 192.168.1.247
    object network obj_8009
    host 192.168.1.249
    object network obj_39833
    host 192.168.1.88
    access-list smtp extended permit tcp any host 66.18.210.142 eq smtp
    access-list smtp extended permit tcp any host 192.168.1.249 eq smtp
    access-list smtp extended permit tcp any host 192.168.1.249 eq imap4
    access-list smtp extended permit tcp any host 192.168.1.249 eq 1677
    access-list smtp extended permit tcp any host 192.168.1.249 eq https
    access-list smtp extended permit tcp any host 192.168.1.246 eq https
    access-list smtp extended permit tcp any host 192.168.1.247 eq ftp
    access-list smtp extended permit tcp any host 192.168.1.249 eq ssh
    access-list smtp extended permit tcp any host 192.168.1.249 eq 8009
    access-list smtp extended permit tcp any host 192.168.1.88 eq 3389
    no pager
    logging asdm informational
    mtu outside 1460
    mtu inside 1500
    mtu inside-46 1500
    mtu inside5 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network obj_25
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj_143
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj_1677
    nat (inside,outside) static interface service tcp 1677 1677
    object network obj_444
    nat (inside,outside) static interface service tcp https 444
    object network obj_443
    nat (inside,outside) static interface service tcp https https
    object network obj_22
    nat (inside,outside) static interface service tcp ssh 40022
    object network obj_21
    nat (inside,outside) static interface service tcp ftp ftp
    object network obj_8009
    nat (inside,outside) static interface service tcp 8009 8009
    object network obj_39833
    nat (inside,outside) static interface service tcp 3389 39833
    access-group smtp in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    snmp-server location Home1
    snmp-server contact network admin
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 3
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 15
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group PPP request dialout pppoe
    vpdn group PPP localname **********************
    vpdn group PPP ppp authentication chap
    vpdn username *********.com password ***** store-local
    dhcpd auto_config inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username ***** password ******* encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d2e31f51f0af551900f9fb8b5dd3ea72
    : end
    INFOASA01(config)# packet-tracer input inside5 tcp 192.168.2.200 12345 4.2.2.2 12345
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5605, packet dispatched to next module
    Result:
    input-interface: inside5
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    INFOASA01(config)#packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network obj_any
    nat (inside,outside) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5633, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    INFOASA01(config)# icmp    debug icmp tra
    debug icmp trace enabled at level 1
    INFOASA01(config)# ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=0 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=1 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=2 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=3 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=4 len=56
    b ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=140 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=140 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=141 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=141 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=142 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=142 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=143 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=143 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    no debug icmp tra
    debug icmp trace disabled.
    INFOASA01(config)#

    Hello Paul,
    Yes, there is an order within NAT on 8.3 and higher:
    1) Manual NAT or Twice NAT
    2) Object NAT (the one being used here)
    3) After-Auto NAT
    Within Object NAT, the ordering is done automatically by the firewall, placing the static entries and the more specific ones first.
    So if you enter that command you will be translating only the subnet within the obj_any 5 from the inside5 to the outside.
    Hope I was clear hehe
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com
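The posted packet-tracer output shows a NAT phase for traffic entering `inside` and none for traffic entering `inside5`. The following check is an added example, not part of the original posts: it reads a running-config, lists the named interfaces that have no dynamic NAT rule bound toward the egress interface, and reports which interface a source address enters on. The function names are hypothetical, the sample is a constructed excerpt of the config above, and the check looks only at the `(real,mapped)` interface pair of each rule, not at the object the rule is attached to.

```python
import ipaddress
import re

# Constructed excerpt, trimmed from the running-config posted above.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif outside
 ip address pppoe setroute
interface Vlan2
 nameif inside
 ip address 192.168.1.254 255.255.255.0
interface Vlan4
 nameif inside-46
 ip address 192.168.3.224 255.255.255.0
interface Vlan5
 nameif inside5
 ip address 192.168.2.254 255.255.255.0
interface Vlan98
 no nameif
 ip address 192.168.98.254 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_25
 nat (inside,outside) static interface service tcp smtp smtp
"""

# Matches object NAT ("nat (a,b) dynamic ...") and twice NAT
# ("nat (a,b) [after-auto] [line] source dynamic ...").
NAT_RE = re.compile(
    r"^nat \(([^,()]+),([^,()]+)\)\s+(?:after-auto\s+)?(?:\d+\s+)?"
    r"(?:source\s+)?(static|dynamic)\b"
)
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse(config):
    """Return ({nameif: IPv4Network or None}, {(real_if, mapped_if)} for dynamic NAT)."""
    blocks, dynamic_pairs = [], set()
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted with or without indentation
        if line.startswith("interface "):
            blocks.append({"name": None, "net": None})
        elif line.startswith("nameif ") and blocks:
            blocks[-1]["name"] = line.split()[1]
        elif (m := ADDR_RE.match(line)) and blocks:
            blocks[-1]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := NAT_RE.match(line)) and m[3] == "dynamic":
            dynamic_pairs.add((m[1], m[2]))
    # Interfaces without a nameif ("no nameif") do not pass traffic; skip them.
    interfaces = {b["name"]: b["net"] for b in blocks if b["name"]}
    return interfaces, dynamic_pairs


def has_dynamic_nat(pairs, real_if, mapped_if):
    """True if a dynamic rule is bound to this interface pair (or to 'any')."""
    return any(r in (real_if, "any") and m in (mapped_if, "any") for r, m in pairs)


def untranslated_interfaces(config, egress="outside"):
    """Named interfaces with no dynamic NAT rule toward the egress interface."""
    interfaces, pairs = parse(config)
    return sorted(
        name for name in interfaces
        if name != egress and not has_dynamic_nat(pairs, name, egress)
    )


def trace(config, src_ip, egress="outside"):
    """Return (ingress nameif, whether a dynamic NAT rule covers that interface pair)."""
    interfaces, pairs = parse(config)
    src = ipaddress.ip_address(src_ip)
    for name, net in interfaces.items():
        if net is not None and src in net:
            return name, has_dynamic_nat(pairs, name, egress)
    return None, False


if __name__ == "__main__":
    print("no dynamic NAT toward outside:", untranslated_interfaces(SAMPLE_CONFIG))
    for ip in ("192.168.1.200", "192.168.2.200"):
        print(ip, "->", trace(SAMPLE_CONFIG, ip))
```

The result matches the two packet-tracer runs: `obj_any` covers every address, but its rule is bound to `(inside,outside)`, so hosts behind `inside5` leave untranslated.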

  • Solaris 10 as router using ipfilter and nat

    Hi,
    I installed Solaris 10 on a second disk on an Ultra 5, but have no
    success using ipfilter with NAT.
    I have it working on the first disk with Solaris 9 and ipfilter 3.4.35.
    I have pfil on both interfaces (hme0 internal and qfe0
    external-internet) and ipfilter enabled. I used the working rule sets
    from Solaris 9 and have ip-forwarding enabled. IPFilter is working on the
    external interface, but none of the hosts on the internal network can
    connect through the router to the internet, but they can ping both
    interfaces.
    I had the same problem with Solaris 9 using ipfilter 4.x and had to go
    back to 3.4.35.
    ipfstat shows all rules are loaded and ipnat -l shows the rules, but no
    connections. ndd -get /dev/ip ip_forwarding returns 1.
    Following are my rules:
    ipf.conf
    block in log quick all with opt lsrr
    block in log quick all with opt ssrr
    block in log quick all with ipopts
    block in log quick proto tcp all with short
    block in log quick proto icmp all with frag
    block in log quick on qfe0 from 10.0.0.0/8 to any
    block in log quick on qfe0 from 127.0.0.0/8 to any
    block in log quick on qfe0 from 169.254.0.0/16 to any
    block in log quick on qfe0 from 172.16.0.0/12 to any
    block in log quick on qfe0 from 192.0.2.0/24 to any
    block in log quick on qfe0 from 192.168.0.0/16 to any
    block in log quick on qfe0 from 204.152.64.0/23 to any
    block in log quick on qfe0 from 224.0.0.0/3 to any
    block in log quick on qfe0 from aaa.aaa.aaa.0/24 to any
    block in log quick on qfe0 from any to aaa.aaa.aaa.0/32
    block in log quick on qfe0 from any to aaa.aaa.aaa.255/32
    block in log on qfe0 all
    block out quick on qfe0 proto tcp/udp from any port 136 >< 140 to any
    block out quick on qfe0 proto tcp/udp from any to any port 136 >< 140
    pass out quick on qfe0 proto tcp all flags S/SA keep state keep frags
    pass out quick on qfe0 proto udp all keep state keep frags
    pass out quick on qfe0 proto icmp all keep state keep frags
    pass out quick on qfe0 all
    pass in quick on lo0 all
    pass out quick on lo0 all
    pass in quick on hme0 all
    pass out quick on hme0 all
    ipnat.conf:
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port ftp ftp/tcp
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 7070 raudio/tcp
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 1720 h323/tcp
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 portmap tcp/udp auto
    map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32
    aaa.aaa.aaa.aaa = internal network
    bbb.bbb.bbb.bbb = external
    My routeadm statement shows:
                  Configuration   Current              Current
                         Option   Configuration        System State
                IPv4 forwarding   enabled              enabled
                   IPv4 routing   enabled              enabled
                IPv6 forwarding   disabled             disabled
                   IPv6 routing   disabled             disabled
            IPv4 routing daemon   "/usr/sbin/in.routed"
       IPv4 routing daemon args   ""
       IPv4 routing daemon stop   "kill -TERM `cat /var/tmp/in.routed.pid`"
            IPv6 routing daemon   "/usr/lib/inet/in.ripngd"
       IPv6 routing daemon args   "-s"
       IPv6 routing daemon stop   "kill -TERM `cat /var/tmp/in.ripngd.pid`"
    Any suggestion what more checks I should do or what additional information is needed.
    Regards,
    Horst

  • Static NAT using access-lists?

    Hi,
    I have an ASA5520 and I'm having an issue with static NAT configuration.
    I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the NAT address I would like to flip this logic if possible.
    Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1', and for everyone else, don't NAT?
    My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would but don't see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - This tells the PIX/ASA to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    Then use the NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    To permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    You'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • Guide or instruction about build and config NAT for network.

    Hey everybody. I'm learning Cisco CCNA and I have a problem building a network. The requirement is: construct and build a network topology with 4 routers, 6 switches and 8 PCs, and automatically set and configure IP addresses for communication between the equipment in your network topology. Some suggestions given: 3->4 IP front, 1 range 4 IP route, 2 range 8 IP route, 1 range 16 IP route. Also, give the method and configuration of NAT for this network with: Static NAT, Dynamic NAT, PAT and NAT co-ordinate.
    Please give me some guidance or instructions about this lab. Thank you very much.

    Hey all, here is a network topology (model) I made myself, and I have configured NAT for it. Please look at it, check it, and fix any errors or guide me to fix them if there are any. Thank you very much.
    As a subject, I propose to use the IP range 200.200.5.1/27
    b/ Static NAT for PC8's IP 192.16.6.1 to become IP 200.200.5.1 on the outside network.
    Router3(config)#ip nat inside source static 192.168.1.2 200.200.5.1
    Router3(config)#interface fa 1/0
    Router3(config-if)#ip nat inside
    Router3(config-if)#interface s 0/0
    Router3(config-if)#ip nat outside
    a/ Accept PCs in LAN 192.168.5.1/24 going out to the internet; this IP will be NATed by the IP range 200.200.5.1 -> 200.200.5.6 (IP 200.200.5.1 has been used for Static NAT but we can reuse it).
    Router3(config)#access-list 1 permit 192.168.5.0 0.0.0.255
    Router3(config)#ip nat pool natdong 200.200.5.1 200.200.5.6 netmask 255.255.255.248
    Router3(config)#ip nat inside source list 1 pool natdong
    Router3(config)#interface fa 0/0
    Router3(config-if)#ip nat inside
    Router3(config-if)#interface s 0/0
    Router3(config-if)#ip nat outside
    c/ Accept PCs in the 2 LANs 192.168.1.0/24 and 192.168.2.0/24 going out to the internet; this IP range will be NATed by the IP range 200.200.5.33 -> 200.200.5.48 (16 IP addresses)
    Router3(config)#access-list 1 permit 192.168.1.0 0.0.0.255
    Router3(config)#access-list 1 permit 192.168.2.0 0.0.0.255
    Router3(config)#ip nat pool natpat 200.200.5.33 200.200.5.48 netmask 255.255.255.224
    Router3(config)#ip nat inside source list 1 interface serial 0/0 overload
    Router3(config)#ip nat inside source list 1 pool natpat overload
    Router3(config)#interface fa 0/0
    Router3(config-if)#ip nat inside
    Router3(config)#interface fa 1/0
    Router3(config-if)#ip nat inside
    Router3(config-if)#interface s 0/0
    Router3(config-if)#ip nat outside
    Note: My English is not good, so please excuse any spelling mistakes.

  • Reset CAN Network Object using NI-XNET

    This post
    http://forums.ni.com/t5/Automotive-and-Embedded-Networks/How-can-I-reset-a-NI-CAN-network-object-wit...
    mentions that there is a better way to reset an NI CAN network object using the NI-XNET API. Can someone please share how to do this using XNET? What's the equivalent of ncReset in XNET?
    Thanks.

    Sima,
    Unfortunately, XNET does not have an implementation of a board reset.  There certainly are cases in which one would be useful, so you can always fill out a Product Suggestion.  If you do decide to do that, which I definitely encourage you to do, be sure to include as many specifics about the scenario as you can to show that you really do need a board reset and not just an XNET clear.  Hopefully this feature will get implemented in the future with this feedback, and I'm sorry there isn't a better solution right now.
    Best,
    Jen W
    Applications Engineer
    National Instruments

  • NATting using the same interface ?

    hi there,
    I was wondering, is it possible to set up NAT/PAT for packets arriving/leaving (after being routed) the same interface, e.g. not going "through" the router?
    I think that this is not possible but I need to be sure... Any help ?
    Thanks,
    Alex

    That is called nat on a stick.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
    Once you understand how to do this NAT will never confuse you again.
    There may be a newer method with the new NAI interfaces in the latest IOS but I have not had time to test this and have not seen any documentation on using these new nat features for this purpose.

  • Can I create a network object from CIDR format or do I need to use IP - netmask?

    Have a cisco ASA running ASA V 8.3
    Wondering what the correct syntax is or even if it is possible to create a network object from a list of IP's in CIDR format? 
    Typically just do this:
    Create network-object
    object-group network name
    network-object 1.2.3.0 255.255.255.0
    Would like to do this: 
    network-object 1.2.3.0/24
    thanks!

    Hi,
    As far as I know the ASA does not support entering a network/subnet mask in such format in any of its configurations.
    - Jouni
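Since the CLI expects address and netmask, a CIDR list can be converted offline before it is pasted in. The following is an added example, not part of the original posts; it serves both this question and the NAT exemption answer at the top of the page by rendering two CIDR lists as `object-group network` stanzas plus the identity twice-NAT line from that answer. The function names are hypothetical, the sample lists are a constructed subset of the networks on this page, and the overlap check is an added sanity check on the input.

```python
import ipaddress


def object_group(name, cidrs):
    """Render CIDR strings as an ASA object-group in address/netmask form."""
    lines, seen = [f"object-group network {name}"], set()
    for cidr in cidrs:
        # strict=True rejects entries with host bits set, e.g. 1.2.3.4/24
        net = ipaddress.IPv4Network(cidr.strip(), strict=True)
        if net in seen:  # drop exact duplicates, keep the input order
            continue
        seen.add(net)
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def overlapping(local_cidrs, remote_cidrs):
    """Return (local, remote) pairs whose address ranges overlap."""
    return [
        (loc, rem)
        for loc in local_cidrs
        for rem in remote_cidrs
        if ipaddress.IPv4Network(loc).overlaps(ipaddress.IPv4Network(rem))
    ]


def nat_exempt_config(local_cidrs, remote_cidrs, real_if="inside",
                      mapped_if="outside", local_name="LAN-NETWORKS",
                      remote_name="REMOTE-NETWORKS"):
    """Build both object-groups and the identity twice-NAT (NAT exemption) rule."""
    clash = overlapping(local_cidrs, remote_cidrs)
    if clash:
        # The same addresses on both sides of the tunnel cannot be exempted.
        raise ValueError(f"local and remote networks overlap: {clash}")
    lines = object_group(local_name, local_cidrs)
    lines += object_group(remote_name, remote_cidrs)
    lines.append(
        f"nat ({real_if},{mapped_if}) source static {local_name} {local_name} "
        f"destination static {remote_name} {remote_name}"
    )
    return lines


# Constructed sample input: a subset of the networks used on this page.
LOCAL = ["192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24"]
REMOTE = ["192.168.10.0/24"]

if __name__ == "__main__":
    print("\n".join(nat_exempt_config(LOCAL, REMOTE)))
```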

  • ASDM multiple network objects vs group for rules

    I was just curious if there are any performance benefits of using multiple network objects on multiple rules vs consolidating them into fewer rules by grouping them? 
    For example, I have about 10 lines of NAT exempt rules from the same source to multiple destinations.  Is there anything to be gained if I consolidated those into a single rule using an object group for the multiple destinations aside from cleaning up the clutter in ASDM?
    Thanks

    Hello Tony,
    Of course, it will be better because the processing that the ASA is going to use to determine which rule to match would be decremented, also it would take less space on the configuration file (memory). Those are some of the pros regarding creating groups for particular rules.
    Sometimes a huge configuration file can increment the CPU usage, etc., so it is better to keep it as small and organized as possible.
    Please rate helpful posts.
    Regards,
    Julio

  • Multiple Network Object pointing to same IP address

    I have what i hope is not a unique problem.  I have two ISP's and I want to be able to use failover between the two ISP's.  The problem I cannot seem to overcome is that I want to be able to have outside email come in and connect to the same server.  If I put in the config below into my ASA, it returns an error that I cannot have two network objects pointing to the same IP.
    Is there a way around this?
    I'm running v9.1 for my ASA.
    object network mail-server
    host 192.168.1.10
    object network mail-server2
    host 192.168.1.10

    This might be a problem with the code, you can do that with previous codes.
    You can use the same object multiple times and it will work just as if you had two of them.
    The following would be a workaround for that issue, but it has to be a problem with the code
    object network mail-server
    host 192.168.1.10
    Object service MAIL
    service tcp destination eq 25
    nat (inside,outside) source static mail-server service MAIL MAIL
    nat (inside,outside1) source static mail-server service MAIL MAIL

  • ASA 5520: Create Network Object for range of hosts?

    Hi,
    I'm new to Cisco Firewalling. I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
    We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
    Is there a way to do a similar thing on the ASA 5520?
    I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
    Any help greatly appreciated.

    Sure there is,
    hostname(config)# object network TEST2
    hostname(config-network-object)# range  10.1.2.1 10.1.2.70
    No need for subnet masks, this will be an Object network, not an Object-group of type network. Now in 8.3 they are a lot different.
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
    Check this doc for reference.
    Cheers,
    Mike

  • Launch Configuration using CIO object

    Hi,
    I am trying to launch Configuration using CIO object.
    Please find the code below that I am using.
    ===========START CODE==================
    Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
    System.out.println("------------- Context object created ----------");
    ConfigParameters cp = new ConfigParameters(79160);
    System.out.println("------------- ConfigParameters object created ----------");
    CIO cioObject = new CIO();
    System.out.println("------------- CIO object created ----------");
    Configuration config = cioObject.startConfiguration(cp,context);
    System.out.println("------------- Configuration object created ----------");
    IUserInterface ui = config.getUserInterface();
    System.out.println("------------- UI object created ----------");
    ui.navigateToScreen("Page-1");
    System.out.println("------------- Page navigation ----------");
    =============END CODE==================
    I am getting the following error after the CIO object is created, while trying to start the configuration, at cioObject.startConfiguration(cp,context). The hostName, portNumber and dbcFileName are correctly provided.
    ============START LOG ====================
    ------------- Context object created ----------
    ------------- ConfigParameters object created ----------
    ------------- CIO object created ----------
    java.lang.RuntimeException: Null JDBC Connection returned from connection pool.
    Contents of CZWebAppsContext error stack: AOLJ_JAVA_EXCEPTION (MESSAGE=Not able to create new database connection. Cause:java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
    SECURITY-No gateway reconnect
    SYSTEM-ERROR (MESSAGE=Io exception: The Network Adapter could not establish the connection)
         at oracle.apps.cz.common.CZWebAppsContext.getJDBCConnection(CZWebAppsContext.java:116)
         at oracle.apps.cz.dio.DbTransaction.<init>(DbTransaction.java:61)
    ==============END LOG=======================
    Please help me in finding the solution.
    Regards,
    Adarsh

    Adarsh,
    Looks like the parameters passed in the constructor call are not valid ones and hence the database connection is not getting done.
    Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
    Check the above call carefully and its parameters. I guess the dbcFileName might be the reason as other 2 entries are pretty easy to know.
    --Shiv

  • Checking the IP of network object

    Hi Everyone,
    I am trying to find the IP of network object.
    When I ran the command --
    sh run object-group network --- it shows
    object-group network  XYZ
    network-object Cisco_1 255.255.255.0
    Need to find the IP of this Cisco_1?
    Thanks
    Mahesh

    Hi Mahesh,
    To me it seems that "Cisco_1" is a "name" configured on the ASA itself.
    So it's not the name of an "object" or an "object-group".
    Try this command and see what it shows
    show run name | inc Cisco_1
    It should give you the actual IP address associated with that name. It's probably some network address since we can see from your post that there is a /24 mask associated.
    Alternatively you can just use the command
    show run name
    And find the correct name/IP pairing from the list. Depending on the environment, there might be several of these.
    If you want to disable this mapping between a "name" and an IP address you can use the following command
    no names
    After this, if you issue the command "show run object-group XYZ" you should be able to see an IP address instead of "Cisco_1".
    Personally I NEVER map an IP address to a "name". I think it just makes troubleshooting harder. It might be fine for people that use ASDM, but I use only CLI so it doesn't do me much good.
    Hope this helps
    - Jouni
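
The same lookup can be done offline against a saved configuration. This is an added example, not part of the original reply: it resolves `name` aliases inside `object-group network` blocks and reports any alias that has no `name` entry. The sample configuration, its addresses and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample; the addresses are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
names
name 10.20.30.0 Cisco_1 description branch LAN
name 10.20.40.5 Mail_1
object-group network XYZ
 network-object Cisco_1 255.255.255.0
 network-object host Mail_1
 network-object 172.16.5.0 255.255.255.0
 network-object Cisco_9 255.255.255.0
object-group network OTHER
 network-object host 192.0.2.10
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")


def resolve_object_groups(config):
    """Return ({group: [CIDR, ...]}, [(group, unresolved alias), ...])."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)   # syntax is "name <ip> <alias>"

    groups, unresolved, current = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "network"] and len(words) >= 3:
            current = words[2]
            groups[current] = []
        elif current and words[:1] == ["network-object"] and len(words) >= 3:
            # Only "host <x>" and "<x> <mask>" members are handled here.
            if words[1] == "host":
                addr, mask = words[2], "255.255.255.255"
            else:
                addr, mask = words[1], words[2]
            addr = names.get(addr, addr)      # swap the alias for its address
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                groups[current].append(str(net))
            except ValueError:
                unresolved.append((current, addr))
        elif not line[:1].isspace():
            current = None                    # left the object-group block
    return groups, unresolved
```
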

  • Freeze tracks that use instrument objects: explode by midi channel?

    Hello everyone,
    I've hit a CPU and/or Disk speed wall and need to start freezing tracks. I've set up my environment to use "instrument objects" to control my sampler instruments, allowing for most of my instruments to access multiple articulations from one track. Great method for composition/arranging, but unfortunately it makes freezing instruments a challenge!
    I know other users employ a similar method in their own Logic setups, and was wondering how do you guys deal with freeze files? Is there an "explode by midi channel" function which will separate a single track into multiple tracks per midi channel, which I can then easily freeze?
    In a somewhat related question, how do you guys with similar setups use folders? Can I put all these "exploded" parts back into a folder for organizational purposes?
    Thanks in advance for your reply!

    Jonathan,
    I'm very, very slow to adopt the freezing of tracks to free up resources. I highly doubt that I'll be using it much in the future, because I don't like the fact that the behavior of simple commands like CMD-A doesn't work to select frozen tracks. There are other things about freezing that interrupt my work methods.
    I'm very seriously considering getting a second computer to act as an orchestral "module" which I can play via MIDI (over a network, preferably). Based on my experiences during my latest project, doing 4 complex orchestrations, I can see that the amount of time and trouble it takes to freeze tracks/disable instruments to free up resources, and then re-enable them if a change is needed to any given part, will get very long in the tooth after a while. The biggest problem with this is running the risk of Logic crashing when it runs out of RAM.
    So for now I'll use the occasional frozen track, or print parts as needed to free up instruments, but budget willing, not for much longer.
    Best,
    -=iS=-

  • Migrate network object group members; risk

    We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do, I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas" I don't want to put the company in that position. What has been the community's, Cisco's experience? Thanks for any feedback. jc

    John,
    If you feel that is risky, you can always go for plan B.
    - You can take a closer look at the object groups and decide on a new object naming convention policy.
    - From ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them.
    - You can see the same services used in a couple of rules with different service groups.
         - like
               object-group service WEB-PORTS tcp
                port-object eq http
                port-object eq https
               object-group service APPLICATION-PORTS tcp
                port-object eq http
                port-object eq https
               object-group service APPS-PORT tcp
                port-object eq www
                port-object eq https
    - You can replace all these different object-groups with one object group, like WEB-PORTS.
    - In the same way, you can do the exercise for network groups as well.
    Hope this helps.
    JD...
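
The duplicate hunt described above can be run over a saved configuration before anything is changed on the firewall. This is an added example, not part of the original reply: it groups `object-group service` definitions by protocol and normalised port set, treating `www` and `http` as the same port. The MGMT-PORTS group, the keyword table and the function names are constructed for illustration.

```python
from collections import defaultdict

# Port keywords used in the post; www and http are the same TCP port (80).
# Assumption: extend this table for other keywords found in your configuration.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# Constructed sample: the three groups from the post plus one distinct group.
SAMPLE_CONFIG = """\
object-group service WEB-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPLICATION-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPS-PORT tcp
 port-object eq www
 port-object eq https
object-group service MGMT-PORTS tcp
 port-object eq 8443
 port-object range 8000 8010
"""


def port_number(token):
    """Map a keyword or numeric string to a port; unknown keywords stay as text."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else token)


def duplicate_service_groups(config):
    """Return lists of group names whose protocol and port sets are identical."""
    members, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "service"] and len(words) == 4:
            current = (words[2], words[3])            # (name, protocol)
            members[current] = set()
        elif current and words[:2] == ["port-object", "eq"]:
            members[current].add((port_number(words[2]),) * 2)
        elif current and words[:2] == ["port-object", "range"]:
            members[current].add((port_number(words[2]), port_number(words[3])))
        elif not line[:1].isspace():
            current = None                            # left the group block
    by_content = defaultdict(list)
    for (name, proto), ports in members.items():
        by_content[(proto, frozenset(ports))].append(name)
    return [names for names in by_content.values() if len(names) > 1]
```

Each returned list is a set of groups that can be collapsed into one; the access rules referencing the retired names still have to be repointed first.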
